Re-authenticating a logged-in User? #34

Closed
jinscoe-zz opened this issue Sep 15, 2011 · 14 comments
Comments

@jinscoe-zz (Author):

I apologize if this is the wrong place for this. I have asked on SO, but haven't gotten a reply, perhaps Sorcery is just too new right now.

I have a simple user model with an edit page. Currently you can change your email and your password (with a password confirmation) but I don't currently require you to type your old password again before changing any of that information.

I have a before filter that requires you to be logged in as well as a before filter to ensure you can only edit your own profile. However, in the case of public or shared computers, I would like to re-authenticate a user by making them type their password before they can change any critical account info and I'm having a hard time finding anything in Sorcery that would allow me to do this. Thanks!

@NoamB (Owner) commented Sep 15, 2011

Hmm, yes, I see how this could be useful.

I could expose a 'validate_credentials(username, password)' method that will only verify that the credentials are correct.
You will need to take care of when to redirect a user to a login form and call it.
Does that sound like a solution?

@jinscoe-zz (Author):

That would fit the bill perfectly! Would that method be able to be used as a before_filter as well?

Thanks for the reply. I'm new to Rails and GitHub and really appreciate the community and people I'm meeting.

NoamB reopened this Sep 15, 2011

@NoamB (Owner) commented Sep 15, 2011

I'm reopening until this is fixed :)

I'll see what I can do about before_filter...

@jinscoe-zz (Author):

Sorry! Didn't mean to close it!

@panva commented Sep 16, 2011

Why not just require the current password when changing the critical information? All this can be achieved via validations. I currently have something like this (even though the external? method does not work just yet ^^):

```ruby
# app/models/user.rb
class User < ActiveRecord::Base
  validates_presence_of :password, if: :password_required?
  validates_confirmation_of :password, if: :password_required?
  validates_length_of :password, within: 5..255, allow_blank: true

  # Checks whether a password is needed or not. For validations only.
  # Password is always required if it's a new record, or if the password / email
  # (or any other critical information) is being set somewhere.
  # external? is a predicate defined elsewhere in this model (see the note above).
  def password_required?
    password.present? || password_confirmation.present? || !external? || email_changed?
  end
end
```

I feel like this is the correct way. What good will reauthentication do for someone when I change his email and password? Or maybe I just don't understand the UC you described, or the validations achieve such.

@NoamB (Owner) commented Sep 16, 2011

I think the use-case is this:

You are logged in, and away from the computer.
Someone sits at your computer and tries to change your private settings.
It would be useful here to ask for your credentials again.
LinkedIn does this.

@panva commented Sep 16, 2011

Well, in the end it is just about the validations. Most likely it is going to be one form with multiple form groups (non-essential info like username or user profile info, and then the essentials, credentials, which can be handled via the validations I mentioned) ...

@NoamB (Owner) commented Sep 18, 2011

There is already a 'validate_credentials' inside sorcery, called 'find_by_credentials'.
I can't promise it will always be part of the API, but you can use it to solve your pain for now.

find_by_credentials takes an array of credentials and returns a @user or nil.

@jinscoe-zz (Author):

I'm a bit of a noob and I'm having a little trouble getting that to work. Here is how I'm trying to call it:

```ruby
@user = User.find_by_credentials(params[:email], params[:current_password])
```

This is the error I get: wrong number of arguments (2 for 1)

Thanks for pointing this out to me. @panva, I'm probably too much of a rookie to follow how to implement what you're suggesting, but I trust that it's probably better than what I'm trying to do. Would love to continue the conversation, if you ever feel up to it. Thanks!

@NoamB (Owner) commented Sep 19, 2011

Surround your params in an array ([]) like this:

```ruby
@user = User.find_by_credentials([params[:email], params[:current_password]])
```

@jinscoe-zz (Author):

Ahh! Thanks!

@gutenye (Contributor) commented Sep 28, 2011

User.find_by_credentials seems not to work:

```ruby
User.find_by_credentials(['foo', 'wrong_pass']) # => #<User>
# Even with a wrong password, it still finds the user matching the username.
```

@gutenye (Contributor) commented Oct 2, 2011

Found a way: you can use User.authenticate('foo', 'right_pass').

@NoamB (Owner) commented Oct 2, 2011

Yes, this should be the 'right' way. User.authenticate is part of the API.

NoamB closed this as completed Oct 2, 2011
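As an added example (not code from this issue or from Sorcery itself): a self-contained Ruby script that models the difference the thread lands on, find_by_credentials only looking the user up by identifier while User.authenticate also verifies the password, and then uses authenticate as the re-authentication step before an email change. The User class, its in-memory user list and the PBKDF2 hashing are assumptions for this example; Sorcery's real model is ActiveRecord-backed and hashes with bcrypt by default.

```ruby
require "openssl"
require "securerandom"

# Stand-in for a Sorcery-backed User model, constructed for this example.
# Sorcery hashes with bcrypt by default; PBKDF2 from Ruby's standard library
# is used here so the script runs without extra gems.
class User
  ITERATIONS = 20_000
  attr_accessor :email
  attr_reader :salt, :crypted_password
  @@users = [] # in-memory list standing in for the users table

  def initialize(email, password)
    @email = email
    @salt = SecureRandom.hex(16)
    @crypted_password = User.hash_password(password, @salt)
    @@users << self
  end

  def self.hash_password(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32,
                               OpenSSL::Digest.new("sha256")).unpack1("H*")
  end

  # Mirrors what gutenye observed: the lookup uses the first credential only,
  # so a wrong password still returns the user.
  def self.find_by_credentials(credentials)
    @@users.find { |u| u.email == credentials[0] }
  end

  # The supported API: the user is returned only when the password verifies.
  def self.authenticate(email, password)
    user = find_by_credentials([email])
    return nil unless user
    candidate = hash_password(password, user.salt)
    # Constant-time comparison of the two equal-length hex digests
    diff = candidate.bytes.zip(user.crypted_password.bytes)
                    .reduce(0) { |acc, (a, b)| acc | (a ^ b) }
    diff.zero? ? user : nil
  end
end

# What the update action should do before touching a critical field: take the
# current password from the form, verify it with User.authenticate, and apply
# the change only on success. Returns [status, email] for inspection.
def update_email_with_reauth(current_user, current_password, new_email)
  unless User.authenticate(current_user.email, current_password)
    return [:reauth_failed, current_user.email]
  end
  current_user.email = new_email
  [:updated, current_user.email]
end
```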